Use of weak hash
Description
The SHA-1 hashing algorithm is no longer considered secure for cryptographic applications due to its vulnerability to collision attacks, where two different inputs produce the same output hash. SHA-1's susceptibility to collision attacks undermines the security of cryptographic operations, allowing attackers to forge signatures or manipulate data without detection. This poses significant risks in authentication systems, data integrity validations, and secure communications.
Examples
Insecure Code
ruby
Digest::SHA1.digest('sensitive information')Secure Code
ruby
OpenSSL::Digest::SHA256.new.digest('sensitive information')Remediation
Replace the SHA1 hashing algorithm with stronger cryptographic hash functions, such as SHA-256 or SHA-3.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0522 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-328 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | hashing, collision attacks |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
References
- https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/weak-hashes-sha1.yaml
- https://shattered.io/